Knowing the basics of cookies and sessions is essential to any PHP programmer. It is often useful to store pieces of information on the user's computer for later use: when they last visited, their language of choice, their age, and so on. Cookies and sessions are the tools for this.
It is important to understand that while the two are very similar, one is not simply better than the other; many sites use both side by side without any problem. Let's start with cookies and how they work.
A cookie is a piece of information stored on the user's computer that can be retrieved later. The most important thing to remember before using cookies is that the user may have turned off cookie support in their browser, so it is vital to tell the user that some functions will not be available unless cookies are enabled, or better yet, build a workaround for them. Think of a cookie as a variable that can be accessed between pages and, when given an expiry date, between browser sessions (the user leaves your site and comes back later). Because the cookie lives on the client, its contents can be read and edited by the user, and by anyone who can see the request when the site is not served over HTTPS.
Let's look at some code. I like to check whether cookies are enabled in the user's browser before doing anything else.
The script calls setcookie() to set a cookie named 'test' on the user's machine containing the string 'enabled'. This function MUST be called before any output on the page (including whitespace before the opening <?php tag); cookies travel in the HTTP response headers, so calling it after output produces the "headers already sent" error about modifying header information. The third argument tells the browser how long to keep the cookie; here it is the current time plus 60 seconds times 60 minutes, so the cookie expires in one hour. If no expiry time is given, the browser discards the cookie when it is closed.
Once set, the cookie is available on every page after this one, but not on the page that sets it: $_COOKIE is filled from the Cookie header the browser sent with the current request, and the browser only receives the new cookie in this response. So on page two we can check whether cookies are enabled in this user's browser.
This simple if-else displays whether our cookie is working. As you can see, cookie values are read through the $_COOKIE superglobal; like anything else the client sends, they should be validated before use.
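The two-page check described above, written out as an added example (this is not the tutorial's own code). It assumes PHP 7.3 or later for the options-array form of setcookie(), and routes both halves through a hypothetical ?step= parameter so they fit in one file; in a real site they would be two pages.

```php
<?php
// Added example (not the tutorial's own code): a cookie-support check split
// across two requests. Step one sets a test cookie; step two reads it back.
// The ?step= parameter is a hypothetical stand-in for two separate pages.

declare(strict_types=1);

const TEST_COOKIE = 'test';

function set_test_cookie(): void
{
    // Must run before any output, or PHP reports "headers already sent".
    // Expires in one hour: current time plus 60 seconds * 60 minutes.
    setcookie(TEST_COOKIE, 'enabled', [
        'expires'  => time() + 60 * 60,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable by JavaScript
        'samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);
}

function cookies_enabled(array $cookies): bool
{
    // $_COOKIE only reflects cookies the browser sent with *this* request,
    // so the cookie set in step one is visible from step two onward.
    return isset($cookies[TEST_COOKIE])
        && is_string($cookies[TEST_COOKIE])
        && $cookies[TEST_COOKIE] === 'enabled';
}

$step = $_GET['step'] ?? '1';

if ($step === '1') {
    set_test_cookie();                      // headers first ...
    echo '<a href="?step=2">Continue</a>';  // ... output afterwards
} elseif (cookies_enabled($_COOKIE)) {
    echo 'Cookies are enabled.';
} else {
    echo 'Cookies appear to be disabled; some features will be unavailable.';
}
```

With 'secure' => true the browser will not store the cookie on a plain-HTTP development server, so test this over HTTPS or drop that flag locally only.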
I like to store a lot of user preferences in cookies on my sites. Things like a preferred language are perfect for cookies to handle. Cookies should never be used to hold sensitive information (passwords, credit card numbers, and so on). Since any user can edit his or her cookie data, and anyone on the network can read it when the site is not served over HTTPS, it is vital never to store that kind of information in a cookie, and never to trust a cookie as proof of anything. I made the mistake of using cookies to tell whether my users were logged in and what their access level was, which let anyone grant themselves any access level by editing one cookie. Big mistake.
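A preference cookie the server can check for tampering, as an added example that is not the tutorial's own code. The value stays readable by the user, so it still must not contain anything secret; the HMAC only tells the server whether the value was edited. PREF_KEY is a hypothetical placeholder: a real site loads a random key of at least 32 bytes from configuration.

```php
<?php
// Added example (not the tutorial's own code): a language preference cookie
// carrying an HMAC so an edited value is detected and ignored.
// PREF_KEY is a placeholder; load a random secret from configuration.

declare(strict_types=1);

const PREF_COOKIE   = 'lang';
const PREF_KEY      = 'replace-with-a-random-secret-from-config';
const ALLOWED_LANGS = ['en', 'de', 'fr'];

function sign_value(string $value, string $key): string
{
    // "de.<hex mac>"; the dot is a safe separator because the value is
    // restricted to the whitelist checked in verify_value().
    return $value . '.' . hash_hmac('sha256', $value, $key);
}

function verify_value(string $cookie, string $key): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$value, $mac] = $parts;
    $expected = hash_hmac('sha256', $value, $key);
    // hash_equals() is constant-time, so the comparison does not leak how
    // many leading bytes of the MAC were correct.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return in_array($value, ALLOWED_LANGS, true) ? $value : null;
}

function set_language_cookie(string $lang): bool
{
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        return false;
    }
    setcookie(PREF_COOKIE, sign_value($lang, PREF_KEY), [
        'expires'  => time() + 30 * 24 * 60 * 60,  // 30 days
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return true;
}

// ?lang=de stores a new preference (hypothetical parameter; headers before output).
if (isset($_GET['lang']) && is_string($_GET['lang'])) {
    set_language_cookie($_GET['lang']);
}

// Read the preference, falling back to English if the cookie is missing,
// not a string, edited, or forged.
$lang = 'en';
if (isset($_COOKIE[PREF_COOKIE]) && is_string($_COOKIE[PREF_COOKIE])) {
    $lang = verify_value($_COOKIE[PREF_COOKIE], PREF_KEY) ?? 'en';
}
echo "Language: $lang\n";

// Tampering check on constructed values: keeping the MAC but changing the
// language fails verification.
$good   = sign_value('de', PREF_KEY);
$forged = 'fr' . substr($good, 2);
echo verify_value($good, PREF_KEY) === 'de' ? "genuine value accepted\n" : "unexpected\n";
echo verify_value($forged, PREF_KEY) === null ? "forged value rejected\n" : "unexpected\n";
```

If the key is rotated, every existing cookie fails verification and the site silently falls back to the default, which is the right behaviour for a preference and exactly why this pattern is not a substitute for a server-side session when the data matters.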
Sessions solve a lot of headaches that cookies can't handle. Sessions act much like cookies but have their own perks and drawbacks. The drawback is that session data is temporary: by default the session cookie lasts only until the browser is closed, and the server discards idle session data after session.gc_maxlifetime (1440 seconds by default). When a session is created, PHP assigns the browser a session ID, which it stores in a cookie (named PHPSESSID by default). PHP can also fall back to passing the session ID in the URL when cookies are disabled (session.use_trans_sid), but this is off by default and should stay off: an ID in the URL ends up in bookmarks, proxy logs and Referer headers, and it lets an attacker hand a victim a link with a known ID (session fixation). The nice thing is that PHP takes care of the ID handling for you; your code only sees $_SESSION.
The first thing we have to do is start a session.
session_start() must be called, before any output, at the top of every PHP file that uses sessions. It tells PHP to look for an existing session ID in the request and load that session's data, or to create a new ID and assign it to the user.
Unlike cookies, $_SESSION variables can be assigned and read on the same page that starts the session. Because the data is stored server-side and the only thing the user holds is the session ID, sessions are more trustworthy than cookies, but they are still vulnerable: whoever obtains the ID (by sniffing an unencrypted connection, through an XSS bug that reads the cookie, or by fixing it in advance) becomes that user. For this reason I use sessions to remember whether a user is logged in, but keep in mind it is not foolproof: regenerate the ID when the user logs in, send the cookie only over HTTPS with the HttpOnly flag, and expire it on logout.
To log users out I send them to a page similar to this one.
This erases all session data along with the session ID. Note that session_destroy() by itself only removes the server-side data: the logout page should also empty $_SESSION and expire the session cookie in the browser, otherwise the browser keeps presenting the old ID on its next request.
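The whole procedure from the last three steps (start the session, record the login, log out) in one added example; this is not the tutorial's own code. It assumes PHP 7.3 or later, routes through a hypothetical ?action= parameter, and uses a constructed in-memory user table in place of a database.

```php
<?php
// Added example (not the tutorial's own code): login state kept in $_SESSION
// with the session-ID handling hardened. ?action= and the $users array are
// stand-ins for a real router and user database.

declare(strict_types=1);

// These are ini options for the session cookie and must be set before
// session_start(). They can equally live in php.ini.
ini_set('session.use_only_cookies', '1'); // never accept an ID from the URL
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
ini_set('session.cookie_httponly', '1');  // not readable by JavaScript
ini_set('session.cookie_secure', '1');    // HTTPS only
ini_set('session.cookie_samesite', 'Lax');
session_start(); // before any output, on every page that uses $_SESSION

// Constructed sample user: password "correct horse", stored only as a hash.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // A fresh ID after authentication defeats session fixation: an ID an
    // attacker planted before login no longer refers to this session.
    session_regenerate_id(true);
    $_SESSION['user']     = $username;
    $_SESSION['login_at'] = time();
    return true;
}

function current_user(): ?string
{
    $user = $_SESSION['user'] ?? null;
    return is_string($user) ? $user : null;
}

function logout(): void
{
    // 1. forget the data, 2. expire the cookie in the browser,
    // 3. remove the server-side session. session_destroy() alone does only 3.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

function str_param(array $src, string $key): string
{
    return isset($src[$key]) && is_string($src[$key]) ? $src[$key] : '';
}

switch ($_GET['action'] ?? 'show') {
    case 'login':   // expects a POSTed form with username and password fields
        $ok = login($users, str_param($_POST, 'username'), str_param($_POST, 'password'));
        echo $ok ? 'Logged in.' : 'Invalid credentials.';
        break;
    case 'logout':
        logout();
        echo 'Logged out.';
        break;
    default:
        $user = current_user();
        echo $user === null ? 'Not logged in.' : 'Logged in as ' . htmlspecialchars($user);
}
```

Pages that need a logged-in user call current_user() after session_start() and redirect when it returns null; the user's browser never holds anything but the ID, so there is no access level for it to edit.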
As you can see, cookies and sessions are very useful when used correctly. When deciding whether to use cookies or sessions, here are a few things to remember.

| | Browser needs cookies enabled? | Can user edit information? | Information lasts between browser sessions? (leaving site and coming back) | Information location |
|---|---|---|---|---|
| Cookies | Yes | Yes, easily | Yes, if given an expiry time | User's browser |
| Sessions | Yes, by default* | No** | No | Server, except for the session ID |

*PHP can pass the session ID in the URL instead (session.use_trans_sid), but this is disabled by default and exposes the ID in logs, bookmarks and Referer headers.
**Users cannot modify the data stored in a session, but anyone who steals the session ID can impersonate the victim; over plain HTTP or with an XSS bug on the site this is not difficult to pull off.
Session Handling Functions - the PHP manual's reference for the session functions.
Cookies and Sessions - the chapter on cookies and sessions from a wiki-style book.
PHP Sessions: Why Use Them? - a tutorial on when to use sessions and how to implement them.